Unless you've been living in a bubble without access to the news or Internet for the past 3 months, you've heard about the massive security breach that Target suffered. Hackers were able to get into Target's computer system and download over 110 million credit and debit card numbers. While we don't know who these 110 million lucky winners are, you can rest assured that if you weren't in that group, someone very close to you was.
Last week, more details on how the attack occurred were released. Apparently, Fazio Mechanical, an HVAC contractor who does work for Target, had someone hack into one of their PCs through a targeted phishing attempt. Fazio's systems were set up with certain access to Target's systems to communicate work orders, invoices, etc. The hackers used that connection to access Target's database containing credit card numbers, and somehow downloaded it all from there. This is shameful at best.
Without knowing anything about Fazio Mechanical other than the fact that they're located in Sharpsburg, PA, and are an HVAC contractor, they are not to blame. They were specifically targeted (no pun intended) with phishing emails which got a user to inadvertently install malware on their computer, granting access to the hackers. Even assuming that they had up-to-date anti-malware software, email filtering, and security settings, nothing is 100%, especially against malware custom-written for one company. The user fell for the phishing.
While I don't know the specifics of how Fazio's and Target's systems were linked, I assume it's not so different from the thousands of companies that have their systems talking to each other, either through XML-based web services or, as most of my wholesale clients know it, the generic term "EDI". In fact, all of the major retailers require their vendors to communicate invoices, shipping notices, and more exclusively through their EDI systems. I'm sure whatever interface Fazio connects to at Target is also used by hundreds of other companies.
So there are two things that bother me most about this incident. Firstly, how could Target's systems be designed so poorly as to give Fazio, a simple HVAC contractor, more access than they should have? All of these web services and EDI systems are supposed to allow only certain types of data to flow back and forth - essentially working in a form-like manner. While nothing is perfect, there should be fail-closed mechanisms in place, not fail-open.
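To make the "form-like, fail-closed" idea concrete, here is an added illustration (not Target's or Fazio's actual gateway code) of a partner-facing EDI gateway that allows only the document types and fields listed per partner, denies everything else by default, and counts denials per partner so a sudden burst of out-of-scope requests becomes something the security team can alert on. The partner id, document types and field names are constructed placeholders.

```python
from dataclasses import dataclass, field
from collections import Counter

# Constructed per-partner policy (placeholder ids, not any real retailer's configuration):
# a partner may submit only the listed document types, and each document type may carry
# only the listed fields. Anything absent from this table is denied, so the gateway
# fails closed rather than open when it sees something it was not built for.
PARTNER_POLICY = {
    "hvac-contractor-001": {
        "WORK_ORDER": {"order_id", "site", "description", "scheduled_date"},
        "INVOICE": {"invoice_id", "order_id", "amount", "due_date"},
    },
}


@dataclass
class Gateway:
    policy: dict
    denials: Counter = field(default_factory=Counter)  # per-partner denial count for monitoring

    def authorize(self, partner_id: str, doc_type: str, doc: dict) -> tuple[bool, str]:
        """Fail-closed check: returns (allowed, reason); any unknown element denies."""
        allowed_docs = self.policy.get(partner_id)
        if allowed_docs is None:
            return self._deny(partner_id, "unknown partner")
        allowed_fields = allowed_docs.get(doc_type)
        if allowed_fields is None:
            return self._deny(partner_id, f"document type {doc_type!r} not permitted")
        extra = set(doc) - allowed_fields
        if extra:  # unexpected content is rejected, not passed through to back-end systems
            return self._deny(partner_id, f"unexpected fields {sorted(extra)}")
        missing = allowed_fields - set(doc)
        if missing:
            return self._deny(partner_id, f"missing fields {sorted(missing)}")
        return True, "allowed"

    def _deny(self, partner_id: str, reason: str) -> tuple[bool, str]:
        self.denials[partner_id] += 1
        return False, reason

    def suspicious_partners(self, threshold: int = 3) -> list:
        """Partners whose denial count reached the threshold; a candidate alert for the SOC."""
        return [p for p, n in self.denials.items() if n >= threshold]
```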
Secondly, even if Fazio's connection was compromised to access data outside of their normal scope, how could it get as far as the customer credit card records? I'm sure Target has massive amounts of data spread amongst hundreds of databases and thousands of servers. Is there really no security within the network, only at the perimeter? Furthermore, PCI compliance requires properly protecting stored credit card data. At-rest data encryption is not all that hard to implement, and would have saved those 110,000,000 people the headaches here. I'd love to know when Target last had a PCI compliance audit performed. Right about now, I wouldn't want to be Target's CIO.
Unfortunately, this isn't the first time a company was hacked and sensitive customer information was stolen, and certainly won't be the last (since the Target incident in December, a few other retailers, albeit smaller ones, have announced similar breaches).
Your company may not be as large as Target, but you still need to take the proper precautions to make sure you aren't next:
- Security systems. This includes anti-virus, anti-malware, email filtering, patch management, security policies, and Internet content filtering. Every company needs all of this, and it has to be managed, monitored and updated regularly.
- Training & user awareness. Even with everything I just mentioned, users must know safe computing practices. Social engineering is the most common way hackers gain access to networks. It's like driving: just because you wear a seatbelt and have airbags doesn't mean you should text while driving.
- Backups. There are two types of people in this world: those who have lost data, and those who will lose data. No security is 100%, and no company can survive if critical data is lost. Make sure you have good backups of your systems and data. If you aren't sure and haven't tested those backups, stop and do it now. Trust me on this one.
I'm curious to hear what you think, send comments to mtabush[at]tabush[dot]com. That’s all for now.